(Translated by https://www.hiragana.jp/)
⚓ T345249 Mitigate phase-out of third-party cookies in CentralAuth
Page MenuHomePhabricator
Create Task
Maniphest T345249

Mitigate phase-out of third-party cookies in CentralAuth
Open, Needs TriagePublic
Actions

Description

tl;dr CentralAuth autologin (the ability to log in on one wiki and be also logged in everywhere else without having to enter credentials again on every site) has been significantly degraded to a non-trivial fraction of our users due to browsers' anti-tracking measures, and will probably be degraded for everyone by 2024 summer.

Problem description

See T345245: Mitigate phase-out of third-party cookies across in Wikimedia production for context and links to relevant documentation.

CentralAuth uses two session mechanism: cookies set on the shared domain of the wiki family (e.g. on wikipedia.org in the case of en.wikipedia.org) and cookies set on a designated central domain (login.wikimedia.org). The first mechanism is considered as a first-party cookie, and not affected. The second mechanism is considered as a third-party cookie, and is at risk of breaking.

There used to be three workflows using the central domain:

  • After login, the user is redirected to the central domain and back, to invisibly set a session cookie on the central domain.
  • After login, a set of images is included in the page, one for each shared domain other than the current one (e.g. if you log in on en.wikipedia.org, the landing page will embed an image from meta.wikimedia.org, en.wikisource.org, en.wiktionary.org etc.), and each one will go through a redirect cycle of several steps which establishes the user's identity by going to the central domain, then returns to the initial domain and sets session cookies there, essentially logging in the user on all those domains in the background. (This is referred to as "edge login".)
  • If you arrive to a wiki where you are not logged in (either because it's too insignificant to be included in edge login, such as outreach.wikimedia.org, or because edge login didn't work, expired etc), a similar redirect chain happens via a <script> tag; after a successful login it might reload the page, or suggest the user via a notice to reload, or just kind-of simulate a reload by replacing the user menu.
  • A fourth mechanism was added by T326281: Attempt top-level central autologin when visiting the login page (to allow autologin when the browser blocks third-party cookies): when you are not logged in and visit the login page, the same redirect chain is attempted at the top level.

The first and fourth flow are what browsers call "bounce tracking" or "redirect tracking"; it's mostly allowed today, although definitely within the sight of browser vendors. (It might cause issues in Safari, which does sometimes drastically reduce cookie lifetimes when it detects bounce tracking.) The other two are probably failing in Safari and Firefox, and will fail in Chrome (which is the majority of our traffic) starting mid-2024. (Although they have pushed back the deadline by multiple years already, so there is always the chance of that happening again.)

User impact

Users will have to log in once per "domain family" (wikipedia.org etc), instead of just once. For most users this will probably mean three separate logins: Wikipedia, Commons and Wikidata. (This can be sometimes mitigated by the centralauthtoken API, although it's cumbersome to use.) With a Wikimedia login with the "remember me" option checked lasting for a year, this is a small annoyance for most normal users. Temp users would be cut off from other projects entirely, though - autologin is the only login mechanism for them.

Mitigation options

  • Accept the UX degradation and don't do anything.
  • Accept the UX degradation and don't do anything in general, but improve the most problematic special cases.
    • Turn the centralauthtoken API into something more flexible (e.g. token reusable in multiple requests, less strict time limits).
    • Provide an explicit login mechanism for temp users, maybe something like Facebook's "tap the notification in another device where you are logged in" feature. (With third-party cookie restrictions, there would be no way to detect whether the user is logging in from same device, so this would also mean temp users could be logged in in multiple devices - not sure if that's a good thing or a bad thing.)
  • T335851: Investigate the Federated Credential Management browser API
  • T345589: Investigate the First-Party Sets / Related Website Sets browser API
  • Use popups instead of embedded resources, with requestStorageAccess() which on some browsers (Firefox, at least) have more lax heuristics.
  • Replace the current cross-domain authentication flows with something that involves user interaction with the central domain (i.e. users would have to click on the login link, and then maybe click through an interstitial, but wouldn't have to enter their credentials again). Possibly do all that in a popup. There are a number of unrelated reason why we might want to do this. We could use a more standard indentity provider protocol, such as OpenID Connect.

Related Objects
Search...

StatusSubtypeAssignedTask
 OpenNoneT345245 Mitigate phase-out of third-party cookies across in Wikimedia production
 OpenNoneT345249 Mitigate phase-out of third-party cookies in CentralAuth
 OpenTgrT345589 Investigate the First-Party Sets / Related Website Sets browser API
 StalledNoneT335851 Investigate the Federated Credential Management browser API
 OpenNoneT359947 Test cross-domain authentication with Federated Credentials Management API
 ResolvedTgrT326281 Attempt top-level central autologin when visiting the login page (to allow autologin when the browser blocks third-party cookies)
 OpenNoneT348388 Use central login wiki for login (SUL3)
 StalledNoneT354482 Clean up login.wikimedia.org ahead of SUL3 login
 OpenNoneT356614 Do not do central login after security reauthentication
 OpenNoneT362713 Implement the new login process which redirects to the central login wiki for showing the login/signup form
 StalledNoneT363411 Run cancreateaccount checks in the context of another wiki
 ResolvedDAlangi_WMFT363483 Split CentralAuth primary authentication provider into loginwiki and non-loginwiki version
 ResolvedDAlangi_WMFT369650 Tokenize sensitive parameters in SUL3 URLs
 StalledNoneT364862 Render central login page with customizations from starting wiki
 ResolvedTgrT363699 Determine and implement SUL 3 login handshake mechanism
 OpenNoneT369467 SUL3: Consider adding interstitial when the user is already logged in centrally
 ResolvedDAlangi_WMFT369668 Figure out how to handle "remember me" flag in SUL3 login flow
 OpenNoneT372703 Set central session ID on the local wiki during SUL3 login
 ResolvedPRODUCTION ERRORTgrT373507 TypeError: Argument 1 passed to MediaWiki\Extension\CentralAuth\CentralAuthTokenManager::consume() must be of the type string, null given
 StalledNoneT364866 Adapt to changes in post-login/signup hooks after switching to a central login wiki
 OpenTgrT369180 Ensure no AuthenticationRequests are added to the local login flow in SUL3 mode
 ResolvedPRODUCTION ERRORTgrT373504 Wikimedia\NormalizedException\NormalizedException: Authentication failed because of inconsistent provider array
 ResolvedDAlangi_WMFT370810 Forward "campaign" parameter during SUL3 account creation
 ResolvedDAlangi_WMFT370813 Support signup mode in SUL3 local login
 In ProgressDAlangi_WMFT375788 Implement SUL3 central autologin
 OpenDAlangi_WMFT376488 Implement SUL3 central login for temp users
 DuplicateNoneT377141 Enable SUL3 central login for temporary accounts
 In ProgressDAlangi_WMFT375796 Synchronize SUL2 and SUL3 central browser state
 OpenNoneT362715 Move credentials change to central login wiki
 ResolvedArielGlennT354701 Enable migration of WebAuthn credentials to loginwiki
 OpenNoneT368125 Clean up existing unattached accounts
 Resolved matmarexT42050 Allow password reset requests to be handled centrally for unified users
 Resolved matmarexT151012 CentralAuth should have its own temporary password handling
 Resolved matmarexT371340 It should be possible to look up global preference for central users without local accounts
 Resolved matmarexT149003 TemporaryPasswordPrimaryAuthenticationProvider does not work with non-DB-based passwords
 OpenNoneT363695 Create a Wikimedia login domain that can be served by any wiki
 ResolvedTgrT365162 Set up sso.wikimedia.beta.wmflabs.org with config-layer routing to other wikis
 ResolvedsbassettT367995 Security Preview for shared login domain
 ResolvedTgrT373738 Audit special pages used on the SUL3 shared login domain for disallowing user JS
 OpenTgrT373737 Disable irrelevant extensions on SUL3 login domain
 OpenTgrT373732 Audit SUL3 shared-domain i18n messages for XSS
 Resolved matmarexT45646 "MediaWiki:Copyright" message allows raw HTML
 Resolved matmarexT371530 Support cross-domain $wgLoadScript URLs in ResourceLoader
 OpenArielGlennT371267 Create a script to backfill missing local accounts on loginwiki/metawiki for new global accounts
 ResolvedArielGlennT368230 Investigate missing loginwiki accounts
 Resolved matmarexT371596 Preserve mobile domain when using the shared login domain
 Resolved matmarexT371609 Rewrite URLs when using the shared login domain
 OpenArielGlennT378401 Start running backfillLocalAccounts.php
 OpenNoneT363706 Register Wikimedia wikis as a Related Website Set
 OpenNoneT364829 Update Wikimedia apps to use central login domain
 OpenNoneT364867 Determine SUL3 cookie exchange mechanism
 OpenNoneT359926 Test cross-domain cookie access with the Storage Access API and Related Website Sets
 OpenNoneT360104 Test cross-domain cookie access with OAuth-style popup + redirect workflow
 ResolvedNoneT364941 Decide on the login flow in MediaWiki under SUL3
 Resolved matmarexT364939 Provide a JavaScript library for logging in / signing up to MediaWiki via a popup
 Resolved matmarexT362706 Permit displaying the login / signup page in a popup or iframe
 Resolved matmarexT366486 Compare experimental login types on the beta cluster
 Resolved matmarexT366508 Compare our login popup to other sites
 ResolvedJTweed-WMFT367911 Explore full-page navigation as the default login flow in MediaWiki under SUL3
 ResolvedlarissagauliaT367912 Explore a popup window as the default login flow in MediaWiki under SUL3
 ResolvedTgrT367913 Explore an iframe overlay as the default login flow in MediaWiki under SUL3
 ResolvedpmiazgaT355281 Set up some beta cluster wikis with different registrable domain
 OpenNoneT368037 Estimate impact of SUL3 on bots
 OpenJTweed-WMFT375954 Create SUL 3 rollout plan for Wikimedia production
 ResolvedDAlangi_WMFT375787 Cookie-based feature flag for SUL3
 OpenNoneT376021 Migrate or disable WebAuthn on Wikimedia wikis
 OpenNoneT378402 Disallow setting up new WebAuthn passkeys on Wikimedia wikis
 OpenNoneT376561 Improve CentralAuth authentication PHPUnit tests
 OpenNoneT376562 Improve CentralAuth authentication browser tests
 OpenFeatureArielGlennT377140 Create notice and opt-out mechanism for SUL3
 ResolvedDAlangi_WMFT377924 [SUL3] Make the `usesul3=0` query parameter work as the inverse of `usesul3=1`
 OpenNoneT377142 Improve code quality for SUL3 shared domain logic
 OpenArielGlennT377144 Create method for opting users into SUL3 rollout
 Opennettrom_WMFT365586 Measure user impact of using a central login / signup page
 OpenpmiazgaT375955 Add a SUL3 flag to Statsd / Prometheus authentication metrics
 OpenNoneT377253 Add SUL3 flag to authentication-related event schemas
 OpenNoneT377261 Track the number of interrupted SUL3 logins / signups
 OpenNoneT377187 Set up sso.wikimedia.org
 OpenTgrT377258 Write mediawiki.org documentation for SUL3
 Stalled matmarexT370692 Review mobile login UX for SUL3
 OpenNoneT378722 Application Security Review Request : SUL3
 ResolvedTgrT355621 Gather metrics about the impact of third-party cookie blocking on login
 DuplicatepmiazgaT359948 Test cross-domain cookie access with Storage Access API
 ResolvedTgrT359957 Enroll in Chrome third-party cookies deprecation trial

Event Timeline

There are a very large number of changes, so older changes are hidden. Show Older Changes
Tgr added a subtask: T335851: Investigate the Federated Credential Management browser API.Sep 5 2023, 11:40 AM
Tgr updated the task description. (Show Details)
Tgr added a comment.EditedSep 9 2023, 9:57 PM
In T326281#9154372, @Tgr wrote:

Tested by logging in on en.wikipedia.org, then visiting www.mediawiki.org (without "Keep me logged in" option):

Instant (<script>) autologinSpecial:UserLogin (top-level) autologin
Chrome 116 / Win 11works
Chrome 116 / Win 11 & Ubuntu (incognito mode)failsworks
Brave 1.57.62 / Win 11failsworks
Firefox 117 / Win 11 & Ubuntufailsworks
Firefox 117 / Win 11 & Ubuntu (private mode)failsworks
Edge 116 / Win 11works
Edge 116 / Win 11 (InPrivate window)works
Edge 116 / Win 11 (with "Block third-party cookies" option)failsworks
Opera 102 / Win 11works
Opera 102 / Win 11 (private mode)failsworks
Epiphany 44.6 / Ubuntu (as an approximation of Safari 16.4)failsworks
Epiphany 44.6 / Ubuntu (private mode)failsworks
Tgr mentioned this in T344444: CentralAuth login not working on mediawiki.org.Sep 11 2023, 12:35 PM
DAlangi_WMF changed the status of subtask T335851: Investigate the Federated Credential Management browser API from Open to In Progress.Sep 28 2023, 4:21 PM
Tgr changed the status of subtask T335851: Investigate the Federated Credential Management browser API from In Progress to Stalled.Sep 29 2023, 8:16 AM
Tgr mentioned this in T347889: Investigate why CentralAuth edge login fails in browsers that do not block third-party cookies.Oct 2 2023, 4:53 PM
Tgr mentioned this in T47578: CentralAuth does not log you into other projects that you have never visited under certain browser cookie settings.Oct 6 2023, 10:23 PM
Tgr mentioned this in T253620: Logged out after switching between mobile and desktop site on the log-in page and later back again.Oct 7 2023, 6:29 PM
Tgr merged a task: T253620: Logged out after switching between mobile and desktop site on the log-in page and later back again.
Tgr added subscribers: JohanahoJ, mdaniels5757, Krinkle, RhinosF1.
Tgr added subscribers: tstarling, TheDJ.Oct 7 2023, 6:57 PM

Copying over some relevant comments from other tasks (most of which I am merging into this one):

In T255366#8098164, @Tgr wrote:

That said, what they call Network Partitioning is enabled for everyone, and might have performance implications - details are scarce, but it seems to suggest e.g. DNS cache and HTTP cache would be split by referrer domain.

(See also Chrome status, where network partitioning is in origin trial.)
cc @Krinkle - not sure how significant this is for the client-side performance of Wikimedia sites.

In T226797#6877367, @tstarling wrote:

I filed the upstream bug https://bugzilla.mozilla.org/show_bug.cgi?id=1696095

("Wikipedia SSO auto-login broken by state partitioning")

In T226797#8013020, @RhinosF1 wrote:

We've also had issues at Miraheze now ETP is rolled out. I opened https://bugzilla.mozilla.org/show_bug.cgi?id=1774861 last night for Miraheze.

("Unable to login on miraheze wikis (mediawiki 1.38) with ETP - Standard Enabled")

In T253620#9233062, @Tgr wrote:

[...] cross-domain SameSite handling is identical in Chrome with third-party cookie-blocking on or off (or at least it was as of 2020 July): T257803#6315123 [...] That means login problems affected by cookie blocking user preferences are not SameSite related.

(ref: T252236: Prepare CentralAuth (e.g. login.wikimedia.org) for requirement of SameSite=None cross-site cookies in Chrome)

In T226797#6878225, @TheDJ wrote:

Found this nice resource on storage access technical details, if anyone ever needs to work with that: https://github.com/rchild-okta/itp#storage-access

Tgr added a subtask: T326281: Attempt top-level central autologin when visiting the login page (to allow autologin when the browser blocks third-party cookies).Oct 7 2023, 6:58 PM
Tgr added subscribers: TonyBallioni, Legoktm.
In T226797#8013018, @Legoktm wrote:

Can we start sketching out what SUL3 would look like? In my head I currently have an idea that the login link will send you to login.wikimedia.org with ?uselang and original URL preserved, then you log in, including 2FA, it redirects you back to where you came from with an OAuth style handshake. Then on another wiki family, you have to click login, but once you hit login.wikimedia.org it immediately redirects you back and you're now logged in. I'm not sure if there's a way to transparently do the wiki logins without redirecting back and forth...

In T226797#8458653, @Tgr wrote:

The next step [after T326281] would be to disable local login entirely on every wiki that is not the central login wiki. We could either keep triggering the central autologin logic from SpecialUserLogin, or make CentralAuthPrimaryAuthenticationProvider return a REDIRECT reponse instead of trying to do password-based authentication (AuthManager already knows to automatically redirect instead of showing the login page if there is only one primary auth provider and it redirects), and manipulate the last leg of autologin so that it redirects back into the normal login process. Still seems fairly easy to do, but all clients which provide their own login UI (e.g. the WMF apps) would have to update their code, and loginwiki would have to be prepared to a user-facing wiki.

I think the end goal should be for loginwiki to be an OIDC provider (standards are nice, makes it easier to understand and test, makes it easier to replace CentralAuth with something else), which it sort of already is via the OAuth extension (T254063: OAuth extension should support OpenID Connect) but we'd probably want CentralAuth to hook into OAuth and suppress the authorization dialog. The login page would then just perform an OIDC handshake and CentralAuthSessionProvider would probably store the OIDC bearer token in a cookie, instead of the current set of cookies.

In T226797#6881167, @Legoktm wrote:

It would be good to incorporate T248339: Decide how to deal with WebAuthn login/registration flow on Wikimedia wikis in future in any SUL3 plans as well, as another auth problem caused by having multiple login domains.

In T226797#8496963, @TonyBallioni wrote:

Legoktm already told me on IRC the proposed solution here wouldn't start logging logins on loginwiki, but worth pointing out in case anyone thought there should be a CU impact: loginwiki was intentionally excluded from the implementation of tracking logins in the CU table when we made that change a few years ago because it would effectively create global CU. While this has been a steward wishlist item for a while, it doesn't have global consensus and is controversial/would probably need a global RfC to expand the steward mandate. For those unaware, loginwiki currently only tracks account creations in CU, and it was intentionally left that way when other wikis started to track logins.

Tgr mentioned this in T226797: CentralAuth login session and auto-login no longer work across wikis in Safari and Firefox.Oct 7 2023, 6:59 PM
Tgr merged a task: T226797: CentralAuth login session and auto-login no longer work across wikis in Safari and Firefox.
Tgr added subscribers: brooke, Jdforrester-WMF, Soda and 41 others.
Tgr added a comment.Oct 7 2023, 7:03 PM

I belatedly realized that the current extent of browser limitations doesn't explain why edge login doesn't work in Chrome (and presumably Edge and Opera, although I haven't tested those) and so that might be an easy fix. Tracking that in T347889: Investigate why CentralAuth edge login fails in browsers that do not block third-party cookies.

Tgr updated the task description. (Show Details)Oct 7 2023, 7:05 PM
Mainframe98 subscribed.Oct 7 2023, 9:08 PM
Tgr mentioned this in T348388: Use central login wiki for login (SUL3).Oct 7 2023, 11:39 PM
Tgr added a subtask: T348388: Use central login wiki for login (SUL3).Oct 7 2023, 11:44 PM
Tgr added a comment.Oct 7 2023, 11:48 PM

Filed T348388: Use central login wiki for login (SUL3) for the likely next step of doing login at a single dedicated domain, which might or might not be necessary to mitigate third-party cookie blocking (in the unlikely case that the First-Party Sets spec gets adopted, we could probably keep the current system) but has so many security and usability benefits that it can be justified even if we assume CentralAuth in its current form keeps working indefinitely.

larissagaulia moved this task from Current Sprint to Within 2 Qs on the MediaWiki-Platform-Team board.Nov 27 2023, 12:42 PM
Tgr mentioned this in T296349: Session not created on VoteWiki when using desktop site with a mobile user agent.Nov 30 2023, 5:26 PM
Tgr added a comment.Dec 27 2023, 1:55 AM

Chrome will disable third-party cookie access for 1% of users starting January 4th, 2024, ie. Thursday next week. (They plan to ramp up to 100% in Q3 2024; hopefully we have migrated away from our current login system by then.) Given Chrome is something like 80% of our userbase, there will probably be some bugs filed about this. In the shorter term, we can't do much about it (and it has already been the situation for a while for Firefox and Safari users), just noting.

ArielGlenn subscribed.Jan 2 2024, 12:45 PM
Tgr added a comment.Jan 17 2024, 4:27 AM
In T345249#9154375, @Tgr wrote:
In T326281#9154372, @Tgr wrote:

Tested by logging in on en.wikipedia.org, then visiting www.mediawiki.org (without "Keep me logged in" option):

Instant (<script>) autologinSpecial:UserLogin (top-level) autologin
Chrome 116 / Win 11works
Chrome 116 / Win 11 & Ubuntu (incognito mode)failsworks
Brave 1.57.62 / Win 11failsworks
Firefox 117 / Win 11 & Ubuntufailsworks
Firefox 117 / Win 11 & Ubuntu (private mode)failsworks
Edge 116 / Win 11works
Edge 116 / Win 11 (InPrivate window)works
Edge 116 / Win 11 (with "Block third-party cookies" option)failsworks
Opera 102 / Win 11works
Opera 102 / Win 11 (private mode)failsworks
Epiphany 44.6 / Ubuntu (as an approximation of Safari 16.4)failsworks
Epiphany 44.6 / Ubuntu (private mode)failsworks

I re-tested this as a preparation for another task, and found that cookies are sent to *.wikimedia.org domains, regardless of whether third-party cookie blocking is enabled in the browser; so e.g. when logging in on en.wikipedia.org and visiting commons.wikimedia.org, I am logged in threre. Tested this on both Chrome and Firefox, both worked. Doesn't seem to happen on any other domains, not even wikipedia.org. It's also happening on *.wikimedia.beta.wmflabs.org, but not e.g. *.wiktionary.beta.wmflabs.org.

No idea what's going on. The potential explanations I can think of is that we are accidentally setting cookies on .wikimedia.org at some *.wikimedia.org wiki (doesn't seem to be happening), that I have somehow configured a local override and forgot about it (can't find any trace of that) or that these domains ended up on some exception list that both Chrome and Firefox are using (sounds plausible for wikimedia.org, but for wmflabs? ).

Tgr added a comment.Jan 17 2024, 4:31 AM

I guess the more likely explanation is that these browsers are using something looser than same-origin (same parent domain?) for third-party cookie blocking, so loginwiki and other wikimedia.org wikis are considered in the same security bucket.

ArielGlenn added a comment.Jan 17 2024, 11:42 AM

Verified for Firefox: I logged out, deleted all *wik*org cookies except for non SUL sites (phab, etherpad and so on), set Enhanced Tracking Protection to "custom" and chose "All cross-site cookies" (see image below). After login at en.wikipedia, after the end of the redirect/session creation chain for commons.wikimedia.org, I have session cookies for commons with session id, UserId, UserName stored locally. When I go to visit commons,wm.o, these cookies are sent to the web server and I am logged in as a result.
Firefox version: 121.0, linux.

Screenshot from 2024-01-17 13-32-27.png (659×873 px, 55 KB)

Tgr mentioned this in T355280: Try to connect to central session before temp user creation.Jan 18 2024, 3:59 AM
Tgr mentioned this in T355621: Gather metrics about the impact of third-party cookie blocking on login.Jan 29 2024, 8:42 AM
Tgr added a subtask: T355621: Gather metrics about the impact of third-party cookie blocking on login.
Tgr closed subtask T355621: Gather metrics about the impact of third-party cookie blocking on login as Resolved.Jan 30 2024, 11:34 PM
Universal_Omega subscribed.Feb 4 2024, 8:53 PM
AllUsernamesArePicked subscribed.Feb 17 2024, 10:34 AM
Johannnes89 subscribed.Feb 21 2024, 3:38 PM
Vermont subscribed.Feb 22 2024, 1:12 AM
A_smart_kitten subscribed.Feb 23 2024, 4:37 PM
Tgr merged a task: T256525: Stay logged in doesn’t work, global login doesn’t work on different projects.Mar 5 2024, 1:27 PM
Tgr added subscribers: Ferdi2005, Afnecors, Draceane and 4 others.
Tgr added a subtask: T359926: Test cross-domain cookie access with the Storage Access API and Related Website Sets.Mar 12 2024, 12:06 PM
Tgr added a subtask: T359947: Test cross-domain authentication with Federated Credentials Management API.Mar 12 2024, 2:56 PM
Tgr added a subtask: T359948: Test cross-domain cookie access with Storage Access API.Mar 12 2024, 3:03 PM
Tgr added a comment.Mar 12 2024, 5:18 PM

Next step is to test the relevant browser APIs:

spec investigationtestbrowserfunctionality
RWST345589T359926Chromecookie access, probably on par with current
FedCMT335851T359947Chrome, Edge, Opera (maybe Firefox soon?)browser-mediated identity checks
Storage AccessT359948all moderncookie access after user interaction

Also Chrome offers a deprecation trial to delay when they apply third-party cookie blocking, and we have no reason not to make use of that (we can opt out of it later if we want) so we'll apply: T359957: Enroll in Chrome third-party cookies deprecation trial

Novem_Linguae unsubscribed.Mar 12 2024, 9:50 PM
Krinkle added a comment.Mar 13 2024, 10:22 PM

@Tgr Do we need a test for the top-level redirect chain as well? (i.e. OAuth-like, but using our existing code for the most part)

It sounds most like T359948: Test cross-domain cookie access with Storage Access API but there it says:

Maybe also check if we can avoid permission popups by relying on heuristics-based cookie blocking exceptions. […] But given that those exceptions are temporary, this might not be worth the effort.

Have any of Google, Apple or Mozilla announced an intent to deprecate or break OAuth-like redirects? This approach seems to me the most sustainable long-term. It would rely on proven technology, require no special vendor permission, and would show a UX that is least novel/surprising compared to other websites. I.e. the idea that you ocasionally click "Log in" on an affiliated site and choose your identity on loginwiki and bounce back.

I worry about introducing permission prompts into the UX, in particular the wording they might use and how that reflects on Wikipedia, at a time that virtually no major consumer sites use any of these three approaches (afaik).

Tgr added a comment.Mar 13 2024, 11:33 PM
In T345249#9628846, @Krinkle wrote:

Have any of Google, Apple or Mozilla announced an intent to deprecate or break OAuth-like redirects?

I think for Google at least the intent is quite clear. (The other two in general communicate much less about this topic; Google has a whole website dedicated to its privacy plans.) Their recommended replacements for authentication are RWS, FedCM and using a single domain.

OAuth-like experiences using anything other than a top-level redirect fall under their heuristics based exceptions policy, which they very clearly present as a temporary option. Top-level redirects fall under their bounce tracking mitigations policy which is permanent (or at least I haven't seen it described as temporary so far).

Do we need a test for the top-level redirect chain as well?

You are right that this is another potentially viable option (besides RWS, FedCM, the Storage API, and - for a while - heuristics based exceptions). I'm not sure what exactly we should be testing, though. We know it works (to some extent) - we are already using it in production. Bounce tracking mitigations were only rolled out in October 2023 (and then only for users with third-party cookie blocking, which had to be enabled manually until recently), so maybe it's working less now and we didn't notice? I guess that's worth checking. But we can do that in production, I don't think a test site would have much point.

(An extra source of uncertainty is that there is overlap between the heuristics based exceptions and bounce tracking, so I don't think we have a reliable way to tell what will happen once those exceptions go away.)

at a time that virtually no major consumer sites use any of these three approaches

Google's "Sign in with Google" popup will transition to FedCM soon, that's used by lots of largish sites (Medium for example).

We could have a look at what other SSO services say publicly about how they will handle the Privacy Sandbox changes.

This approach [OAuth-like redirects] seems to me the most sustainable long-term.

I suppose that depends on your definition of sustainable.
RWS would probably give us more power than any other option, although only on certain browsers. FedCM would probably take the minimal amount of effort in the long term, but as you point out it's at the cost of some loss of control.

Tgr added a comment.Mar 13 2024, 11:36 PM

I don't think a test site would have much point.

On second thought, one thing we might want to test is how redirects behave within programmatically opened popups. Top-level redirects in the main browser window are hard to use because they disrupt client-side state. Opening a popup and doing the redirect there is much more versatile, but I'm not 100% sure that would still be considered "top-level".

I'll file a task about that.

Tgr added a comment.Mar 14 2024, 3:53 PM
In T345249#9628930, @Tgr wrote:

I'll file a task about that.

T360104: Test cross-domain cookie access with OAuth-style popup + redirect workflow

kostajh mentioned this in T334623: How do we log unsuccessful first edits for temporary users?.Mar 22 2024, 1:17 PM
Daimona subscribed.Mar 22 2024, 1:53 PM
Tchanders mentioned this in T360870: How should we represent actors that do something loggable but don't create a temp account?.Mar 25 2024, 9:44 AM
fnegri subscribed.Mar 26 2024, 9:43 AM
Tgr added a subtask: T359957: Enroll in Chrome third-party cookies deprecation trial.Mar 28 2024, 9:15 PM
Tgr added a comment.Mar 29 2024, 10:34 AM

With third-party cookie blocking enabled, after a central login, Chrome's Issues tab says this:

Chrome may soon delete state for intermediate websites in a recent navigation chain
In a recent navigation chain, one or more websites accessed some form of local storage without prior user interaction. If these websites don't get such an interaction soon, Chrome will delete their state.
1 potentially tracking website: wikimedia.org
Learn more: Bounce tracking mitigations

which suggests central login and top-level autologin wouldn't survive the rollout of cookie blocking, either. I haven't reviewed the linked spec in full, but I think the relevant part is #bounce-tracking-mitigations-timers which basically says if a domain has not received user interaction in the last 45 days and it does not receive user interaction within 1 hour of the bounce tracking (ie. doing the central login redirect chain), all cookies, cache and other stored data for login.wikimedia.org will get scrubbed. This is much more aggressive than e.g. the bounce tracking mitigations used by Firefox and would render central login (in its current form) entirely useless.

Rodejong subscribed.Mar 29 2024, 10:40 AM
PixDeVl subscribed.Mar 29 2024, 12:02 PM
Tgr mentioned this in T359957: Enroll in Chrome third-party cookies deprecation trial.Apr 1 2024, 5:07 PM
Tgr closed subtask T359957: Enroll in Chrome third-party cookies deprecation trial as Resolved.Apr 1 2024, 6:54 PM
Tgr mentioned this in T345245: Mitigate phase-out of third-party cookies across in Wikimedia production.Apr 5 2024, 6:25 PM
Tgr added a subtask: T360104: Test cross-domain cookie access with OAuth-style popup + redirect workflow.Apr 15 2024, 7:48 PM
Wargo unsubscribed.Apr 21 2024, 1:46 PM
Tgr removed a subtask: T360104: Test cross-domain cookie access with OAuth-style popup + redirect workflow.May 14 2024, 10:09 AM
Tgr removed a subtask: T359926: Test cross-domain cookie access with the Storage Access API and Related Website Sets.
kostajh added a comment.Jul 9 2024, 9:44 AM

@Tgr is there a status update for this task? Asking in context of Temporary accounts rollout, where ideally we'd like for temporary accounts to persist reliably while navigating from one site to the next (since there is no possibility to log back in to one's account).

CentralAuth autologin (the ability to log in on one wiki and be also logged in everywhere else without having to enter credentials again on every site) has been significantly degraded to a non-trivial fraction of our users due to browsers' anti-tracking measures, and will probably be degraded for everyone by 2024 summer.

Are we seeing this degradation now?

Tgr added a comment.Jul 9 2024, 5:37 PM
In T345249#9964626, @kostajh wrote:

@Tgr is there a status update for this task? Asking in context of Temporary accounts rollout, where ideally we'd like for temporary accounts to persist reliably while navigating from one site to the next (since there is no possibility to log back in to one's account).

It went slower than I hoped, we are now aiming to start rollout during end of Q1. If you want to test the new login process in Beta, I think we'll have something basic there in about two weeks.

Note that there's no guarantee it will help with the two temp user problems (T355280 and T334623#9615751). Currently those are (to some extent, and could to a further extent) be solved by interaction-free access to the central login state, which might not be possible in the future. The goal of SUL3 is to ensure that authentication always involves user interaction on the central domain. That might allow some level of interaction-free behavior later (e.g. if you interact with the central domain once, you get interaction-free access to its cookies for a week) but it's going to be limited at best.

Are we seeing this degradation now?

No, Chrome revised their timeline so now they are going for January. Also we are opting out of their changes for now (T359957: Enroll in Chrome third-party cookies deprecation trial).

Bugreporter added a comment.Jul 24 2024, 3:15 AM

FYI: https://privacysandbox.com/news/privacy-sandbox-update/

Lydia_Pintscher subscribed.Aug 17 2024, 12:54 PM

Since last week we are getting editors complain about being logged out on Wikidata. Any chance this is related? T372702

Kuldeepburjbhalaike subscribed.Aug 17 2024, 1:05 PM
Johannnes89 added a comment.EditedAug 17 2024, 4:53 PM
In T345249#10071269, @Lydia_Pintscher wrote:

Since last week we are getting editors complain about being logged out on Wikidata. Any chance this is related? T372702

I've heard similar complaints about frequently being logged out of metawiki in the past couple of days

Krinkle reopened subtask T359957: Enroll in Chrome third-party cookies deprecation trial as Open.Aug 28 2024, 2:22 AM
JayCano added a project: Temporary accounts.Sep 12 2024, 12:59 PM
kostajh moved this task from Inbox to Triaged on the Temporary accounts board.Sep 13 2024, 11:15 AM
kostajh mentioned this in T375256: Cookie % has been rejected because it is foreign and does not have the "Partitioned" attribute.Sep 20 2024, 8:27 AM
Tgr closed subtask T359957: Enroll in Chrome third-party cookies deprecation trial as Resolved.Sep 29 2024, 9:27 AM
Thryduulf mentioned this in T372702: editors are repeatedly getting logged out (August 2024).Sun, Oct 27, 11:45 AM
Tgr mentioned this in T378722: Application Security Review Request : SUL3.Thu, Oct 31, 2:33 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits